[Security-sig] Unified TLS API for Python

Christian Heimes christian at cheimes.de
Fri Jan 13 11:46:54 EST 2017


On 2017-01-13 17:37, Cory Benfield wrote:
> 
>> On 13 Jan 2017, at 16:35, Christian Heimes <christian at cheimes.de> wrote:
>>
>> How would this work for OpenSSL? In OpenSSL the SNI callback replaces
>> the SSL_CTX of a SSL socket pointer with another SSL_CTX. The new
>> SSL_CTX takes care of cipher negotiation, certs and other handshake
>> details. The SSL_CTX should be reused in order to benefit from cached
>> certs, HSM stuff and cached sessions. OpenSSL binds sessions to SSL_CTX
>> instances.
>>
>> A callback looks more like this:
>>
>> contexts = {
>>    'www.example.org': SSLContext(cert1, key1),
>>    'internal.example.com': SSLContext(cert2, key2),
>> }
>>
>> def sni_callback(sock, hostname):
>>    sock.context = contexts[hostname]
> 
> If the goal is to keep those contexts static, the best thing to do is to cache the context based on the configuration. Because configurations should be static they should be hashable, which would mean that the ServerContext can keep an internal dictionary of {configuration: SSLContext}. When the new configuration is returned, it can simply pull the context out of the cache as needed.

You lost me and I'm tired. My brain is no longer able to follow. I'm
calling it a day. A working example or PoC might help to understand your
point... :)

Christian
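
Added example (not part of the original thread, and not code from either poster): a sketch of the {configuration: SSLContext} cache described in the quoted reply, written against the standard-library `ssl` module rather than the proposed unified API. `TLSConfiguration`, `ContextCache` and `make_sni_callback` are hypothetical names, and the certificate paths are assumed to be supplied by the caller.

```python
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)  # frozen => immutable and hashable, so it can key a dict
class TLSConfiguration:  # hypothetical name, not the proposed API
    certfile: Optional[str] = None  # assumed paths; no cert is loaded when None
    keyfile: Optional[str] = None
    ciphers: Optional[str] = None
    minimum_version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2


class ContextCache:
    """Keeps one ssl.SSLContext per distinct configuration.

    Equal configurations get the same context object back, so loaded
    certificates and OpenSSL's per-SSL_CTX session cache are reused.
    """

    def __init__(self):
        self._contexts = {}

    def get(self, config):
        ctx = self._contexts.get(config)
        if ctx is None:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            ctx.minimum_version = config.minimum_version
            if config.ciphers:
                ctx.set_ciphers(config.ciphers)
            if config.certfile:
                ctx.load_cert_chain(config.certfile, config.keyfile)
            self._contexts[config] = ctx
        return ctx


def make_sni_callback(cache, configs_by_host):
    """Build a callback suitable for SSLContext.sni_callback."""

    def sni_callback(sock, hostname, initial_context):
        # hostname is None when the client sent no SNI extension.
        config = configs_by_host.get(hostname)
        if config is None:
            # Fail the handshake with an alert instead of raising KeyError.
            return ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME
        sock.context = cache.get(config)  # swap in the cached context
        return None  # None tells the ssl module to continue the handshake

    return sni_callback
```

The callback is installed on the listening context with `listener_ctx.sni_callback = make_sni_callback(cache, configs_by_host)`.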

